(57) ABSTRACT 

The present invention involves a desktop administration 
system and method which allows a network administrator to 
remotely create, protect, and manage desktops and control 
file systems across a network. The method involves masking 
operation of the network providers while obtaining a user 
security information record relating to the user's allowed 
scope of access to the network providers. Next, the operation 
of the user is enabled only with the network providers 
authorized based on the user security information record. 
Finally, the user's interaction with each network provider is 
monitored and the user is only allowed to act consistent with 
the user security information record. Each workstation 
includes a personal desktop facility (PDF) and a Daemon 
which protects the user's desktop. The PDF receives desktop 
information from the network server and builds a desktop 
which the user manipulates to invoke local and/or network 
programs and access local and/or network utilities, provid- 
ing appropriate keys or other authentication information to 
access restricted network resources. The Daemon serves as 
an interface for the PDF by channeling any communication 
to or from the user or the network, preventing unauthorized 
transactions at either the workstation or network level. The 
PDF provides a graphic user interface using objects that 
encapsulate programs with data, such as user preferences, 
default directories, and access privileges. The Daemon 
performs many tasks, including starting the PDF, enumerating 
the windows of the graphic user interface, and recording 
operations. 

30 Claims, 3 Drawing Sheets 
NETWORK PROVIDER LOOP SECURITY 
SYSTEM AND METHOD 

CROSS-REFERENCE TO RELATED 
APPLICATIONS 

The present application is a continuation-in-part of U.S. 
patent application Ser. No. 08/854,490, filed May 12, 1997, 
now U.S. Pat. No. 6,061,795, which is a continuation-in-part of 
U.S. patent application Ser. No. 08/509,688, filed Jul. 31, 
1995, now abandoned. 

MICROFICHE APPENDIX 

This application includes by reference the microfiche 
appendix of U.S. patent application Ser. No. 08/509,688, 
having 722 frames, and the microfiche appendix of U.S. 
patent application Ser. No. 08/854,490, having 1070 frames. 
This application also includes a microfiche appendix of 568 
frames. A portion of the disclosure of this patent document 
contains material which is subject to copyright protection. 
The copyright owner has no objection to the facsimile 
reproduction by anyone of the patent document or the patent 
disclosure, as it appears in the Patent and Trademark Office 
patent files or records, but otherwise reserves all copyright 
rights whatsoever. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The invention relates to network administration software. 
More specifically, the field of the invention is that of 
network administration software for managing user 
workstations' access to resources on a network. 

2. Description of the Related Art 

Computer networks are arranged so that a multitude of 
users can access common network resources. Each user has 
a workstation, typically a stand alone personal computer 
which is connected through a suitable communications link 
to the other computers of the network. The network admin- 
istrator is a program which runs on the network server or an 
administrator workstation which coordinates and manages 
the access and security of the users on the network. The 
management of users involves allocating and facilitating 
access to resources such as programs and data files which are 
needed or desired by particular users. In the process of a user 
connecting to the network, a network interface program is 
used to identify, verify, and authorize a network user access 
to various network resources. The security provisions 
involve allowing only the appropriate users access to certain 
programs and data files to maintain the integrity and privacy 
of the network system. 

Networks can be administered by a single operating 
system running on the components of a network, which 
coordinates desktops and servers, for example a version of 
the Windows NT operating system by Microsoft Corporation. 
Alternatively, networks can be administered by a combination 
of single computer operating systems, including both desktop 
client and server based operating systems, interacting 
through a communications layer supported by a network 
operating system, for example a version of the Windows 
operating system by Microsoft Corporation and a version of 
the Netware operating system by Novell Corporation. In 
either situation, first a network 
user must gain access, or logon, to the computer network and 
second the network user must gain access to program(s) on 
the server. A logon interface package termed a GINA 
(Graphical Identification aNd Authentication) is used to 
obtain the user name and password from the workstation and 
assign operating system SIDs (Security Identifiers) to the 
user's workstation session. For the single operating system, 
the GINA provides a high level of security, but for the 
combination of single machine operating systems, a possible 
security breach may exist between the workstation logon and 
the network logon. 

Desktop administration programs provide each user with 
an individual view of the user's workstation configuration, 
the network, and the resources available over the network. 
Such programs conventionally provide a graphic user 
interface and operate under several constraints. One 
constraint involves the transparency of the desktop 
administration program. Transparency in this context means 
the ability of a user to ascertain the presence of the 
program merely from observing the operation of the user's 
workstation. Ideally, a user should not be able to detect 
the presence of the desktop administration program. Another 
constraint involves the underlying operating system of the 
workstation computer and the network. Ideally, the desktop 
administration program should not interfere with the 
operation of any portion of the underlying operating system. 
The management of individual user preferences also 
constrains desktop administration programs. Ideally, the 
user's modifications of a desktop configuration should not 
corrupt the desktop administration program's management of 
user desktops. Known desktop replacement or administration 
programs have difficulties in one or more of these 
constraints. 

In order for the desktop administration program to pro- 
vide access to a network resource, the desktop user must 
create an authenticated connection over the network. A 
Registry program on the workstation sets up and helps to 
administer the authenticated connection, allowing the desk- 
top user to operate with the network resources. The Registry 
maintains a list of network resources and identifiers so that 
the workstation can determine when a network message is 
intended for the local desktop. Also, the Registry may 
include access information relating to the user. 
Conventionally, the operating system is entered as the "pri- 
mary process" and has precedence over all the other pro- 
cesses in the multi-tasking environment. All other processes 
are secondary processes, and can be interrupted, terminated, 
or otherwise controlled by the primary process. For secure 
communications with network resources, the Registry may 
include security identifiers (SIDs) such as session encryption 
keys, passwords, or the like. One potential problem with the 
aforementioned possible security breach involves corruption 
and manipulation of the Registry list and the information 
and codes contained within the Registry list. 

What is needed is a desktop administration program 
which alleviates the above identified constraints, works in 
concert with the operating system and its standard graphic 
user interface, and mitigates the risks involved with the 
possible security breach between the workstation logon and 
the network logon. 

SUMMARY OF THE INVENTION 

The present invention is a desktop administration system 
and method which allows a network administrator to 
remotely create, protect, and manage desktops across a 
network. The invention operates to fill the gap between the 
workstation and network logon procedures so that the local 
user stays within the predefined security profiles. The 
methodology used involves the program of the present 
invention installing itself as the controlling process 
invoked by the workstation and preventing any other process 
from gaining control of the user terminal. The invention 
then provides a 
graphic user interface to construct user desktops, apply 
restriction options, maintain transaction logs, and password 
protect any object accessible from the user workstation. The 
invention allows these functions without altering how a user 
works on the desktop, or the capacities of the underlying 
operating system or network. 

Each workstation includes a personal desktop facility 
(PDF) and a Daemon which protects the user's desktop. The 
personal desktop facility receives desktop information from 
the network server and builds a desktop which the user 
manipulates to invoke local and/or network programs and 
access local and/or network utilities. The PDF further 
creates the expected links and interfaces with network 
resources for the user's profile, while the other programs 
running on the workstation have no cognition of the change 
of control. The Daemon serves as an interface for the 
personal desktop facility by channeling any communication 
to or from the user or the network, preventing unauthorized 
transactions at either the workstation or network level. 

The personal desktop facility (PDF) provides a graphic 
user interface using objects that represent collections of 
programs and data, such as user preferences, default 
directories, and access privileges. The PDF can create 
objects, remove objects, and alter object settings. Providing 
a user with the proper collection of objects with the proper 
settings creates a workstation tailored to the user's needs, 
thus increasing the efficiency of the user. 

The Daemon has many tasks, including starting the PDF, 
enumerating the windows of the graphic user interface, and 
recording operations. Starting the PDF may involve obtaining 
security clearance, and includes loading the user's desktop 
from the server. Enumerating the windows of the graphic user 
interface facilitates proper operation of the desktop and 
the programs running under it. Recording operations may 
involve creating a log of user operations, such as tagging 
or signaling events when they occur, noting the usage of 
passwords, and the startup and exit of the desktop from the 
network connection. 

The present invention provides several significant 
advantages. The network administrator may standardize 
desktops quickly and uniformly by manipulating the server's 
database of personal desktop profiles, or by modifying 
common desktop objects which are stored on the server. Users 
may also be mobile across the network, because regardless of 
which machine they use, the PDF will load their personal 
desktop file from the network server. The Daemon further 
protects the desktop from inadvertent damage, and prevents 
intentional alteration of the network architecture. 

The present invention, in one form, relates to . 

The present invention, in another form, is a method for . 

Further aspects of the present invention involve . 

Another aspect of the invention relates to a machine- 
readable program storage device for storing encoded 
instructions for a method of providing user access to 
resources in a network of computers including a server and 
a workstation according to the foregoing method. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The above mentioned and other features and objects of 
this invention, and the manner of attaining them, will 
become more apparent and the invention itself will be better 
understood by reference to the following description of an 
embodiment of the invention taken in conjunction with the 
accompanying drawings, wherein: 

FIG. 1 is a schematic diagrammatic view of a computer 
network using the present invention; 

FIG. 2 is a flow chart diagram of the operation of the 
present invention relating to workstation desktop operation; 

FIG. 3 is a flow chart diagram of the operation of the 
present invention in an embodiment relating to the network 
provider loop. 

Corresponding reference characters indicate corresponding 
parts throughout the several views. Although the drawings 
represent embodiments of the present invention, the 
drawings are not necessarily to scale and certain features 
may be exaggerated in order to better illustrate and explain 
the present invention. The exemplification set out herein 
illustrates an embodiment of the invention, in one form, and 
such exemplifications are not to be construed as limiting 
the scope of the invention in any manner. 

DESCRIPTION OF THE PRESENT INVENTION 

The embodiment disclosed below is not intended to be 
exhaustive or limit the invention to the precise form 
disclosed in the following detailed description. Rather, the 
embodiment is chosen and described so that others skilled in 
the art may utilize its teachings. 

The detailed descriptions which follow are presented in 
part in terms of algorithms and symbolic representations of 
operations on data bits within a computer memory 
representing alphanumeric characters or other information. 
These descriptions and representations are the means used by 
those skilled in the data processing arts to most 
effectively convey the substance of their work to others 
skilled in the art. 

An algorithm is here, and generally, conceived to be a 
self-consistent sequence of steps leading to a desired 
result. These steps are those requiring physical 
manipulations of physical quantities. Usually, though not 
necessarily, these quantities take the form of electrical or 
magnetic signals capable of being stored, transferred, 
combined, compared, and otherwise manipulated. It proves 
convenient at times, principally for reasons of common 
usage, to refer to these signals as bits, values, symbols, 
characters, display data, terms, numbers, or the like. It 
should be borne in mind, however, that all of these and 
similar terms are to be associated with the appropriate 
physical quantities and are merely used here as convenient 
labels applied to these quantities. 

Some algorithms may use data structures for both 
inputting information and producing the desired result. Data 
structures greatly facilitate data management by data 
processing systems, and are not accessible except through 
sophisticated software systems. Data structures are not the 
information content of a memory, rather they represent 
specific electronic structural elements which impart a 
physical organization on the information stored in memory. 
More than mere abstraction, the data structures are specific 
electrical or magnetic structural elements in memory which 
simultaneously represent complex data accurately and provide 
increased efficiency in computer operation. 

Further, the manipulations performed are often referred to 
in terms, such as comparing or adding, commonly associated 
with mental operations performed by a human operator. No 
such capability of a human operator is necessary, or 
desirable in most cases, in any of the operations described 
herein which form part of the present invention; the 
operations are machine operations. Useful machines for 
performing the operations of the present invention include 
general purpose digital computers or other similar devices. 
In all cases the distinction between the method operations 
in operating a computer and the method of computation itself 
should be 
recognized. The present invention relates to a method and 
apparatus for operating a computer in processing electrical 
or other (e.g., mechanical, chemical) physical signals to 
generate other desired physical signals. 

The present invention also relates to an apparatus for 
performing these operations. This apparatus may be 
specifically constructed for the required purposes or it may 
comprise a general purpose computer as selectively activated 
or reconfigured by a computer program stored in the 
computer. The algorithms presented herein are not inherently 
related to any particular computer or other apparatus. In 
particular, various general purpose machines may be used 
with programs written in accordance with the teachings 
herein, or it may prove more convenient to construct more 
specialized apparatus to perform the required method steps. 
The required structure for a variety of these machines will 
appear from the description below. 

The present invention deals with "object-oriented" 
software, and particularly with an "object-oriented" 
operating system. The "object-oriented" software is 
organized into "objects", each comprising a block of 
computer instructions describing various procedures 
("methods") to be performed in response to "messages" sent 
to the object. Such operations include, for example, the 
manipulation of variables and the transmission of one or 
more messages to other objects. Messages are sent and 
received between objects having certain functions and 
knowledge to carry out processes. Messages are generated in 
response to user instructions, for example, by a user 
activating an icon with a "mouse" pointer. Also, messages 
may be generated by an object in response to the receipt of 
a message. When one of the objects receives a message, the 
object carries out an operation (a message procedure) 
corresponding to the message and, if necessary, returns a 
result of the operation. Each object has a region where 
internal states (instance variables) of the object itself 
are stored and which the other objects are not allowed to 
access. One feature of the object-oriented system is 
inheritance. For example, an object for drawing a "circle" 
on a display may inherit functions and knowledge from 
another object for drawing a "shape" on a display. 

A programmer "programs" in an object-oriented programming 
language by writing individual blocks of code each of which 
creates an object by defining its methods. A collection of 
such objects adapted to communicate with one another by 
means of messages comprises an object-oriented program. 
Object-oriented computer programming facilitates the 
modeling of interactive systems in that each component of 
the system can be modeled with an object, the behavior of 
each component being simulated by the methods of its 
corresponding object, and the interactions between 
components being simulated by messages transmitted between 
objects. 

An operator may stimulate a collection of interrelated 
objects comprising an object-oriented program by sending a 
message to one of the objects. The receipt of the message 
may cause the object to respond by carrying out 
predetermined functions which may include sending additional 
messages to one or more other objects. The other objects may 
in turn carry out additional functions in response to the 
messages they receive, including sending still more 
messages. In this manner, sequences of message and response 
may continue indefinitely or may come to an end when all 
messages have been responded to and no new messages are 
being sent. When modeling systems utilizing an 
object-oriented language, a programmer need only think in 
terms of how each component of a modeled system responds to 
a stimulus and not in terms of the sequence of operations to 
be performed in response to some stimulus. Such sequence of 
operations naturally flows out of the interactions between 
the objects in response to the stimulus and need not be 
preordained by the programmer. 

Although object-oriented programming makes simulation 
of systems of interrelated components more intuitive, the 
operation of an object-oriented program is often difficult 
to understand because the sequence of operations carried out 
by an object-oriented program is usually not immediately 
apparent from a software listing as in the case for 
sequentially organized programs. Nor is it easy to determine 
how an object-oriented program works through observation of 
the readily apparent manifestations of its operation. Most 
of the operations carried out by a computer in response to a 
program are "invisible" to an observer since only a 
relatively few steps in a program typically produce an 
observable computer output. 

In the following description, several terms which are 
used frequently have specialized meanings in the present 
context. The term "object" relates to a set of computer 
instructions and associated data which can be activated 
directly or indirectly by the user. The terms "windowing 
environment", "running in windows", and "object oriented 
operating system" are used to denote a computer user 
interface in which information is manipulated and displayed 
on a video display such as within bounded regions on a 
raster scanned video display. The terms "network", "local 
area network", "LAN", "wide area network", or "WAN" mean two 
or more computers which are connected in such a manner that 
messages may be transmitted between the computers. In such 
computer networks, typically one or more computers operate 
as a "server", a computer with large storage devices such as 
hard disk drives and communication hardware to operate 
peripheral devices such as printers or modems. Other 
computers, termed "workstations", provide a user interface 
so that users of computer networks can access the network 
resources, such as shared data files, common peripheral 
devices, and inter-workstation communication. Users 
activate computer programs or network resources to create 
"processes" which include both the general operation of the 
computer program along with specific operating 
characteristics determined by input variables and its 
environment. The terms "desktop", "personal desktop 
facility", and "PDF" mean a specific user interface which 
presents a menu or display of objects with associated 
settings for the user associated with the desktop, personal 
desktop facility, or PDF. When the PDF accesses a network 
resource, which typically requires an application program to 
execute on the remote server, the PDF calls an Application 
Program Interface, or "API", to allow the user to provide 
commands to the network resource and observe any output. The 
term "Daemon" refers to a program which is not necessarily 
apparent to the user, but which is responsible for 
transmitting messages between the PDF and the network server 
and for protecting and regulating the user's ability to use 
and modify network resources. Although the following 
description details such operations in terms of a graphic 
user interface using icons, the present invention may be 
practiced with text based interfaces, or even with voice or 
visually activated interfaces. 

A computer network is shown in block diagram form in 
FIG. 1, showing the general orientation and arrangement of 
the software operating on the computer equipment, including 
the server administration, the workstation PDF, and the 
Daemon software. Network 20 includes at least one server 22 
and at least one, and typically dozens or hundreds, of 
workstations 24. Server 22 and workstations 24 are connected 
by communication line 26 which may be an ethernet 
cable or another suitable device. Network 20 also includes 
several shared peripheral devices, such as disk storage 28 
(typically coupled directly to server 22, although 
connection through communication line 26 is also possible), 
printers 30, modems 32, and router 34. ADMIN 
(administration) software 36 resides on server 22, and 
generally controls communications between the components of 
network 20. For example, ADMIN software 36 typically 
controls access to disk storage 28, the scheduling of 
printing jobs on printers 30, the allocation of modems 32, 
and the transmission of information through router 34. 

Each workstation 24 includes a computer with a monitor 
and keyboard, such as a standard personal computer (e.g., an 
IBM-PC type or Macintosh) or an advanced computer (e.g., a 
Next or SPARC workstation), and may include its own 
peripheral devices such as local printer 38, local modem 40 
or local disk storage 42. With the present invention, each 
workstation 24 includes PDF 44 and Daemon 46. PDF 44 
provides a graphic user interface, or "desktop", to the 
programs and resources available on its workstation 24 and 
generally through network 20. Daemon 46 serves as an 
intermediary between ADMIN 36 and PDF 44, filtering out 
unauthorized activities and maintaining the integrity of the 
desktop. ADMIN 36 only accepts requests and receives 
messages from Daemon 46, so PDF 44 is required to access 
information and programs through Daemon 46, and must send 
all of its information to ADMIN 36 through Daemon 46. 
Further, PDF 44 may only change the parameters of the 
desktop through Daemon 46, and Daemon 46 determines what 
operations are permissible based on criteria supplied from 
ADMIN 36. Daemon 46 includes both an initiation routine 
(contained in the source code file KP2WPS.C of the first 
filed application) and a periodic checking routine 
(contained in the source code file KP2SIIURC of the first 
filed application) to implement these functions. With this 
arrangement, which is explained in further detail below and 
in the source code appendix, the integrity of each desktop 
is maintained by Daemon 46, and permanently maintained by 

In accordance with the present invention, disk 28 of 
server 22 stores .sec file 50 (the logical designation of 
.sec file 50 may include several separate physical files 
which are interrelated through logical connections). ADMIN 
software 36 uses the information contained in .sec file 50 
to specify the menu of computer programs and network 
resources which may be referenced by the desktops of the 
users of network 20. .sec file 50 may be a general file for 
all the users of network 20. Alternatively, .sec file 50 may 
represent a collection of files, with each file 
corresponding to a particular user or a particular class of 
user. Another alternative is a hybrid approach, wherein the 
menu information has a common component and a user specific 
component. In any event, this arrangement allows for a 
network administrator to directly manipulate .sec file 50 
with ADMIN software 36 on server 22 to modify, customize, 
and/or maintain the desktops across a network, rather than 
having to change each desktop configuration locally. 

In addition to ADMIN 36 creating .sec file 50 to record a 
user's desktop configuration on server 22, the present 
invention uses PDF 44 to enforce the user's desktop 
configuration directly on workstation 24. PDF 44 operates on 
the assumption that unless the user is specifically 
authorized to access a particular computer program or 
resource, that user's workstation should not be allowed to 
manipulate or interact with that particular item. Only upon 
receiving .sec file 50 from ADMIN 36 does PDF 44 construct a 
desktop for the user, and that desktop only provides access 
to computer programs and resources which are specifically 
identified for the user in .sec file 50. Thus, with the 
first embodiment of the present invention (disclosed in the 
source code appendix of the first filed application), access 
control is first maintained at the level of workstations 24 
to enhance the protection of server 22. 

In a second embodiment of the invention (disclosed in the 
source code appendix of the second filed application), ADMIN 
36 on server 22 locks out the user from the file system 
software at workstation 24, and only a properly configured 
desktop provided by PDF 44 can present a key to unlock the 
file system and access resources on server 22. The 
implementation of the second embodiment with OS/2 includes 
several routines which interact with certain features of the 
OS/2 operating system to achieve this file lock out. 
However, one of ordinary skill in this art would readily 
appreciate that such server access control lock-outs may be 
implemented with any operating system by a suitably designed 
program operating with the benefit of system administration 
privileges. 

The present invention may be best explained using the 
paradigm of an object oriented operating system. However, 
one of ordinary skill in the operating system programming 
art recognizes that all operating systems can be abstracted 
to conform with object oriented principles, so that a 
programmer may impose object oriented programming principles 
on any operating system. The exemplary embodiment of the 
present invention works in conjunction with the OS/2 
operating system developed and sold by International 
Business Machines, Incorporated (IBM) ("OS/2" is a trademark 
of IBM). The OS/2 operating system formally identifies and 
utilizes objects as part of its operating schema, wherein 
the individual processes managed by the OS/2 operating 
system are encapsulated by objects which define the computer 
programs, data, icons, access privileges, and other 
attributes affecting the ability of the process to influence 
or alter other portions of the system. Many similar 
operating systems use an object oriented operating schema, 
and thus the present invention is directly applicable to 
many conventional operating systems, including Windows95 and 
WindowsNT made by Microsoft Corporation. 

In an object oriented operating system, programs and the 
processes they create may be associated with a class which 
has common characteristics. The class designation 
communicates to the operating system that the class member 
includes a predefined set of characteristics. Access 
privileges and clearances may be set for classes rather than 
having to identify such information for every individual 
object or process. Also, PDF 44 and ADMIN 36 may be designed 
to include security and control algorithms which can target 
classes of processes rather than only singly identified 
processes. The following example of a .sec file used in the 
second embodiment of the invention as a default desktop 
profile, implemented in this embodiment as a flat text file, 
provides several class designations along with the other 
desktop information. 
[Master] ENABLESECURITY=OBJECTS; RESTRICTUNDEF=YES; DESC=Default Workstation
Desktop; PASSWORD=sScuoJoEycEK6f a^H Au-^- GU§Yfe OO; LOG=BCD;
[Folder] TITLE=Desktop; CLASS=DskDesktop; OBJECTID=<WP_DESKTOP>;
ICONRESOURCE=56,PMWP.DLL; DEFAULTVIEW=OPEN_DEFAULT; POPUP=6258802;
HELPPANEL=4000; MINWIN=VIEWER; NOCOPY=YES; NODELETE=YES; NOPRINT=YES;
BYPSSETUP=YES; WINLIST=YES; INCCHLD=YES; BACKGROUND=
C:\OS2\BITMAP\BUBBLPAD.BMP,T,0,I,163 163 148; ICONFONT=8.Helv;
ICONVIEW=NOGRID,NORMAL; TREEFONT=8.Helv; TREEVIEW=MINI,LINES;
DETAILSFONT=8.Helv;

[Folder] TITLE=OS/2 System; CLASS=PRDirectory; OBJECTID=<DO_OS2SYS>;
PARENTID=<WP_DESKTOP>; SHADOWID=<WP_OS2SYS>; ICONPOS=8,80;
DEFAULTVIEW=184,345,716,291; HELPPANEL=4002; MINWIN=VIEWER; NOCOPY=YES;
NODELETE=YES; NODRAG=YES; NODROP=YES; NOMOVE=YES; NORENAME=YES;
NOLINK=YES; NOSETTINGS=YES; NOPRINT=YES; WINLIST=YES;
BACKGROUND=(none),,,C,255 255 236; ICONFONT=8.Helv; ICONVIEW=FLOWED,MINI;
TREEFONT=8.Helv; TREEVIEW=MINI,LINES; DETAILSFONT=8.Helv;

[Folder] TITLE=Connections; CLASS=PRDirectory; OBJECTID=<DO_CONNECTIONSFOLDER>;
PARENTID=<WP_DESKTOP>; SHADOWID=<WP_CONNECTIONSFOLDER>; ICONPOS=8,62;
DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=1277; MINWIN=VIEWER; NOPRINT=YES;
WINLIST=YES; BACKGROUND=(none),,,C,255 255 236; ICONFONT=8.Helv;
ICONVIEW=NOGRID,NORMAL; TREEFONT=8.Helv; TREEVIEW=MINI,LINES;
DETAILSFONT=8.Helv;

[Folder] TITLE=Assistance Center; CLASS=PRDirectory; OBJECTID=<DO_ASSISTANCE>;
PARENTID=<WP_DESKTOP>; SHADOWID=<WP_ASSISTANCE>; ICONPOS=8,71;
DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=1277; MINWIN=VIEWER; NOPRINT=YES;
WINLIST=YES; BACKGROUND=(none),,,C,255 255 236; ICONFONT=8.Helv;
ICONVIEW=FLOWED,MINI; TREEFONT=8.Helv; TREEVIEW=MINI,LINES;
DETAILSFONT=8.Helv;

[Folder] TITLE=Programs; CLASS=PRDirectory; OBJECTID=<DO_PROGRAMSFOLDER>;
PARENTID=<WP_DESKTOP>; SHADOWID=<WP_PROGRAMSFOLDER>; ICONPOS=8,53;
DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=1277; MINWIN=VIEWER; NOPRINT=YES;
WINLIST=YES; BACKGROUND=(none),,,C,255 255 236; ICONFONT=8.Arial;
ICONVIEW=FLOWED,MINI; TREEFONT=8.Arial; TREEVIEW=MINI,LINES;
DETAILSFONT=8.Arial;

[Folder] TITLE=WebExplorer; CLASS=PRDirectory; OBJECTID=<DO_WC_WEBEX_FOLD0>;
PARENTID=<WP_DESKTOP>; SHADOWID=<WC_WEBEX_FOLD>; ICONPOS=8,44;
DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=1277; MINWIN=VIEWER; NOPRINT=YES;
WINLIST=YES; BACKGROUND=(none),,,C,255 255 236; ICONFONT=9.WarpSans;
ICONVIEW=NOGRID,NORMAL; TREEFONT=9.WarpSans; TREEVIEW=MINI,LINES;
DETAILSFONT=9.WarpSans;

[Object] TITLE=Shredder; CLASS=WPShredder; OBJECTID=<DO_SHRED>;
PARENTID=<WP_DESKTOP>; SHADOWID=<WP_SHRED>; ICONPOS=88,32;
ICONRESOURCE=28,PMWP.DLL; DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=1190;
MINWIN=VIEWER; NOCOPY=YES; NODELETE=YES; NOPRINT=YES; WINLIST=YES;
[Object] TITLE=Templates; CLASS=DskShadow;
OBJECTID=<DO_TemplatesODskShadowDskDesktop>; PARENTID=<WP_DESKTOP>;
SHADOWID=<WP_TEMPS>; ICONPOS=8,34; DEFAULTVIEW=OPEN_DEFAULT;
HELPPANEL=15680; MINWIN=VIEWER; NOPRINT=YES; WINLIST=YES;
[Object] TITLE=Black Hole; CLASS=BlackHole; OBJECTID=<DO_BLACKHOLE0>;
PARENTID=<WP_DESKTOP>; SHADOWID=<BLACKHOLE>; ICONPOS=80,32;
ICONRESOURCE=22,PMWP.DLL; DEFAULTVIEW=OPEN_DEFAULT; MINWIN=VIEWER;
NOPRINT=YES; WINLIST=YES;

[Pad] TITLE=LaunchPad; CLASS=WPLaunchPad; OBJECTID=<DO_LAUNCHPAD>;
PARENTID=<WP_DESKTOP>; ICONPOS=79,87; ICONRESOURCE=74,PMWP.DLL;
DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=32253; CCVIEW=NO; MINWIN=VIEWER;
NOPRINT=YES; WINLIST=YES; FPOBJECTS=<WPPO_IBMLASER>,<WP_DRIVE_A>,
<WP_OS2WIN>,<WP_ASSISTANCE>,<WP_SHRED>; LPACTIONSTYLE=TEXT;
LPHIDECTLS=YES;
DRAWEROBJECTS=3,<WP_WIN2WIN>,<WP_DOSWIN> * ;2,<WP_DRIVES>;
[Program] TITLE=Verify"r"nDefects; CLASS=WPProgram;
OBJECTID=<DO_Verify_DefectsOWPProgramDskDesktop>; PARENTID=<WP_DESKTOP>;
SHADOWID=<DU_Verify_DefectsOWPProgramDskDesktop>; ICONPOS=88,67;
DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=4083; CCVIEW=NO; MINWIN=VIEWER;
NOPRINT=YES; USEPARENT=YES; WINLIST=YES; EXENAME=D:\TOOLS\VERDFCT.CMD;
PROGTYPE=WINDOWABLEVIO;
[Program] TITLE=Sky Scraper; CLASS=WPProgram;
OBJECTID=<DO_SkyScraperOWPProgramDskDesktop>; PARENTID=<WP_DESKTOP>;
SHADOWID=<DU_SkyScraperOWPProgramDskDesktop>; ICONPOS=9,90;
DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=4083; CCVIEW=NO; MINWIN=DESKTOP;
NOPRINT=YES; LNCHPROG=C:\OS2\E.EXE; EXITPROG=C:\OS2\ICONEDIT.EXE;
EVENTEXIT=YES; EVENTLNCH=YES; GLBLPW=YES;
EXENAME=C:\SKY\SKY.EXE; PARAMETERS=/ao/rl/d2/jl/g2/ml/x2;
STARTUPDIR=C:\SKY; PROGTYPE=PM;
[Program] TITLE=Rejected YnDefects;
CLASS=WPProgram; OBJECTID=<DO_Rejected_DefectsOWPProgramDskDesktop>;
PARENTID=<WP_DESKTOP>; SHADOWID=<DU_Rejected_DefectsOWPProgramDskDesktop>;
ICONPOS=89,45; DEFAULTVIEW=OPEN_DEFAULT; HELPPANEL=4083; MINWIN=VIEWER;
NOPRINT=YES; WINLIST=YES; EXENAME=D:\TOOLS\REJECT.CMD;
PROGTYPE=WINDOWABLEVIO;
[Datafile] TITLE=config.sys; CLASS=WPDataFile; OBJECTID=<DO_C__config_sysO>;
PARENTID=<WP_DESKTOP>; SHADOWID=C:\config.sys; DEFAULTVIEW=OPEN_DEFAULT;
NVBLDORIG=YES; VPF=C:\DSKOBV; HELPPANEL=4082; CVIEW=YES;
HIDEBUTTON=YES; MINWIN=DESKTOP; WINLIST=YES; LOG=ABCD;
[Object] TITLE=Drive D; CLASS=PRDisk; OBJECTID=<DO_DRIVE_D>;
PARENTID=<WP_DESKTOP>; SHADOWID=<WP_DRIVE_D>;
ICONRESOURCE=13,PMWP.DLL; DEFAULTVIEW=120; HELPPANEL=8015;
MINWIN=VIEWER; NOCOPY=YES; NODELETE=YES; NOMOVE=YES; NOPRINT=YES;
WINLIST=YES;

[Printer] TITLE=IBM Laser - Optra E; CLASS=WPRPrinter;
OBJECTID=<DO_WPPO_IBMLASER0>; PARENTID=<WP_DESKTOP>;
SHADOWID=<WPPO_IBMLASER>; DEFAULTVIEW=OPEN_CONTENTS;
HELPPANEL=15409; CCVIEW=NO; MINWIN=VIEWER; NOPRINT=YES; WINLIST=YES;
NETID=l^:\\*COLORADO\LASER; ALIAS=IBMLASER; SHOWJOBS=ALL; REFRESH=25;
[Program] TITLE=Sample Program; CLASS=WPProgram; OBJECTID=<DO_SAMPLEPROG>;
PARENTID=<WP_DESKTOP>; DEFAULTVIEW=OPEN_DEFAULT; CCVIEW=YES;
HIDEBUTTON=YES; MINWIN=HIDE; NOTVISIBLE=YES; NOMOVE=YES;
NORENAME=YES; NOSETTINGS=YES; TEMPLATE=YES; WINLIST=YES;
EXENAME=C:\OS2\ATTRIB.EXE; PARAMETERS=+r [Enter file to write-protect];
PROGTYPE=PM;

[Ses] TRUSTEDAPP=c:\os2\e.exe; RUNWARN=1; LOG=.AD;

[Ses] FILE=autoexec.bat; DIR=c:; LOCK=FILE; RUNWARN=0; FILEATTR=RWDM; LOG=aceg;
[Ses] DIR=c:\os2; LOCK=DIR; SUBDIR=YES; RUNWARN=0; FILEATTR=WDM;
DIRATTR=CGDM; LOG=cegkmo;

[Ses] FILE=protocol.ini; DIR=c:\ibmlan; UNLOCK=FILE; OCCUR=ALL; RUNWARN=0;
FILEATTR=RWDM;

[Device] PORTS=COM1,COM2; COM3,COM4,LPT1; LOG=ABCD;
[Filter] TEXT=WarpCenter; BEGMTCH=YES; NOCLSWPS=YES;

[Filter] TEXT=System; PASSWORD=a;=e[o ofyiEcoSasHr<Tio&J[] "^VS^OD; MIDMTCH=YES;
WINLIST=YES; IGNCASE=YES; LOG=ABCD;

[End]



Each initial bracketed item identifies the class of the object,
including desktop objects, devices, filters, or file system
objects, which is utilized by PDF 44 to invoke the appro-
priate program, install the appropriate desktop icon, or
initialize the appropriate resource. The first item, [Master],
is a header block identifying the .sec file, in this instance a
Master file for a default workstation desktop. The statement
ENABLESECURITY=OBJECTS instructs PDF 44 to use
security privileges on an object level ("FS" would instruct
PDF 44 to use file system security privileges, while "BOTH"
would enable both object and file system security), while the
statement RESTRICTUNDEF=YES instructs PDF 44 to
check for an undefined process and, if one is found, restrict its
access to workstation 24 and server 22. The PASSWORD
statement identifies the default security password, which is
encrypted, and the statement LOG=BCD activates a trans-
action log in the background of the desktop operation. These
and other high level instructions can thus be provided to
PDF 44 on the workstation from the .sec file provided by
ADMIN 36. ADMIN 36 can then block all access to network
resources by the workstation until supplied the appropriate
information (e.g., keys, predefined requests, or passwords)
from PDF 44.

The second item of the .sec file of the example, [Folder]
TITLE=Desktop, is the highest level class and identifies the
desktop user interface representation of the object. The
statement CLASS=DskDesktop indicates that the object
belongs to the class of top level desktop display which is
created by inheriting characteristics from the WPShell class
and adds further characteristics utilized by the inventional
method (the DskDesktop class is sometimes referred to as a
replacement class as it replaces the WPShell class). This
desktop class of object represents PDF 44 to the user, and the
statements within this item of the .sec file provide the default
parameters for the user interface to PDF 44. However, PDF
44 does not include security and privilege information
relating to workstation processes, such information being
stored in a local .sec file which is referred to by PDF 44.



The third item of the .sec file of the example, [Folder]
TITLE=OS/2 System, identifies the desktop user interface
representation of the object, and the statement CLASS=
PRDirectory indicates that the object belongs to a class of
program directories. Such a PRDirectory may be a subclass
of a folder class, such as created by a LAN network system.
This object represents a directory of programs to the user,
specifically in this case a collection of OS/2 operating
system programs. Any program activated from a particular
folder inherits the privileges of the folder unless the program
object itself overrides the inherited privileges. This item
includes three identifications used by PDF 44 in manipulat-
ing this or related objects, namely OBJECTID (the identifier
of the object itself), PARENTID (the identifier of the parent
of the object), and SHADOWID (the pointer to the original
object). The item also includes several display parameters,
and several security/privilege indicators. This "OS/2 Sys-
tem" item includes several identifiers and indicators which
are used in [Folder] class items. Icons are located inside the
folders, and processes started by invoking the icons will
have default access privileges according to the security/
privilege statements of the originating folder, and all parent
folders (folders which contain other folders).

The items identified by [Pad], [Program], [Datafile], and
[Printer] all deal with discrete logical and/or physical
devices. The [Pad] item refers to a facility which can initiate
other operations or applications, or "launch" them, e.g.,
represented by a "LaunchPad" icon. The [Program] item
refers to an executable file which when launched creates a
process on workstation 24 and/or server 22, and may include
API initialization strings and other related data. The
[Datafile] item refers to a data file which when launched will
activate an associated application program executable file.
The [Printer] item (or other "Device" item) refers to a
peripheral computer device such as a printer, modem,
joystick, or similar input and/or output device.

The [Ses] item specifically relates to executables,
directories, and/or devices of PDF 44 and Daemon 46 which
interact with the Security Enabling Services kernel features
of the OS/2 operating system. Alternatively, such an item
could relate to separate parts of ADMIN 36 and/or Daemon
46 which initially lock and can later unlock the file system.
ADMIN 36, PDF 44, and Daemon 46 are programmed to
recognize specially designated objects as "trusted
applications" and allow such trusted applications access to
certain system level files. As implemented by the present
invention, ADMIN 36, PDF 44, and Daemon 46 also allow
"Device" items to be locked and/or monitored to maintain a
log file of all operations occurring on or through the device.

The [Filter] item can be used by PDF 44 when creating or
operating a desktop, or by Daemon 46 during an enumeration
routine. The filtering process may be implemented on a
class level, or alternatively object titles may be subject to
such filtering. For example, a filter item may be used to
remove window list entries from a desktop without a user
prompt or acknowledgment. Another use of a filter may be
to keep certain processes running during the creation or
re-creation of a desktop (for example, to keep an external
communication link active even though the local desktop is
being rebuilt). A filter may also be used to require a
password from PDF 44 or the user before invoking certain
objects or classes of objects.

For objects which do not fall within one of the foregoing
classes, the item designation [Object] provides a format for
a user defined object, such as an abstract non-file system
object. These types of abstract objects are of the .dll type,
which are not necessarily associated with executable files
but rather are instantiated by the shell (often referred to as
work place shell applications). Statements within this object
shall be interpreted as if the statement occurred in one of the
previously defined classes.

Although the above mentioned items may be stored in a
single .sec file, it is also possible to store items in several
files associated with a user. For example, the user having the
user ID of JANEDOE may have the files JANEDOE.SEC
for general configuration information, JANEDOE.SCC for
common items on the desktop and start menu,
JANEDOE.USR for user defined settings created on logon,
JANEDOE.NSO for namespace objects that are built upon
loading of the profile, and JANEDOE.POL for policy or
security restrictions, each type of file storing those various
aspects of the JANEDOE user profile.

The present invention also provides two additional ways
to secure the desktop, one being a hardware based restriction
and the other a context based validation. The hardware based
restriction is maintained by an additional file
(RESTRICT.TXT) resident on the local computer which
PDF 44 checks before creating desktop objects. In this
manner, local computers can be configured so that certain
sensitive applications cannot be created or invoked at certain
physical locations, regardless of the privilege level of the
user. The context based validation is a statement in a .sec file
item, VPF=<path>|<filename>, which requires that the path
or file specified be present and/or accessible by the user on
the network before PDF 44 creates the specified desktop
object.

PDF 44 thus creates a desktop which includes a graphic
display of icons representing programs, files, network
resources, and other related information. When the user
launches a program or network resource and thereby creates
a new process, PDF 44 displays a new window on the
monitor of workstation 24 showing the activity of the new
process. In the exemplary embodiment with a multi-tasking
operating system, more than one process can appear on the
desktop simultaneously. PDF 44 presents the most current
window in the forefront, with the other windows accessible
through a command. Also in the exemplary embodiment
with an object oriented operating system, the communication
and implementation of processes are achieved through
the use of objects which contain the needed information for
executing the process and interacting with other portions of
the system. Each icon on the desktop has an associated
object so that when PDF 44 observes the operator activating
a particular icon, the corresponding object may be launched
and a new display window may be created.

Before PDF 44 can operate, however, the objects which
PDF 44 displays must be created. The user may first be
required to log in to network 20 before accessing workstation
24. Daemon 46 obtains the user's desktop profile from ADMIN
36, the desktop profile being a list of objects with
appropriate restrictions and privileges, which may include
keys or other authentication information. In addition, ADMIN
36 may also impose other restrictions on that desktop
profile transmitted to Daemon 46 based on the physical
location or node of the user logging on to network 20. That
desktop profile includes general information about the
restrictions and boundaries applicable to PDF 44, as well as
the objects available to PDF 44. Daemon 46 also obtains
local attribute information, such as the presence or absence
of local peripheral devices, from workstation 24. PDF 44 may
then transmit requests for creation of processes to Daemon
46, which determines if the requested process is permitted
according to ADMIN 36's desktop profile for that user. This
arrangement allows a user to log in at any workstation 24 of
network 20 and have the same desktop displayed by PDF 44.

In the second embodiment of the invention, ADMIN 36
operates to lock out any user from accessing network
resources. By enabling file system level blocking, no
program or process can access a network file except through
the enabled security procedure, which requires a previously
established access privilege to have existed for the user. The
.sec file 50 may contain the information needed to "unlock"
the security procedure and allow a user access to the network
resource. In this way, any user attempt to access a network
resource without using PDF 44 will fail. Only by using PDF
44, which is enabled by an appropriate key or other
authentication information in the user's .sec file 50, can a
user access network resources.

The general sequence of operation is shown in the flow
chart diagram of FIG. 2. Workstation 24 is powered on in
step 200, which may include the use of appropriate access
control software. Daemon 46 obtains the parameters
associated with that particular workstation 24, typically by
accessing a locally stored file or performing a diagnostic
routine, in step 202. For example, in the exemplary
embodiment, Daemon 46 first kills any old objects which are
apparent on workstation 24. After this initial cleansing,
Daemon 46 loads a binary file stored on local disk 42 which
contains a set of all the possible objects for workstation 24,
then hides those objects from display by PDF 44. Next
Daemon 46 loads a second binary file of the active objects
for workstation 24. Typically, this set of active objects
includes a self-launching network log on procedure,
typically involving typing in a username and password at
step 204. Further elaboration of the interface of the software
of the present invention with the network provider loop is
provided in the description of FIG. 3 below.

In accordance with the present invention, Daemon 46 may
then obtain a user network profile from ADMIN Software 36
in step 206. In the second embodiment of the invention,
ADMIN 36 initially blocks the user by denying all access
privileges to network resources. Once Daemon 46 has the
information regarding the local workstation and the user's
network profile, typically by accessing .sec file 50 on server 
22, PDF 44 may set up the user's desktop in step 208 by 
creating a list of objects representing the possible available 
resources, both on network 22 and workstation 24. In the 
second embodiment, PDF 44 may also obtain suitable access 
enabling information from .sec file 50 to allow the user to 
access security protected resources, such as a security key or 
other suitable authentication. At this point, workstation 24 is 
able to receive input from the user to initiate or interact with 
processes and accomplish the desired computing functions. 

Daemon 46 continues to monitor the operations of work- 
station 24 so that the user does not modify the desktop 
created by PDF 44 in circumvention of the user's access and 
security provisions. In step 210, a timer is set so that 
Daemon 46 is activated periodically. In the exemplary 
embodiment of the invention, an interval of approximately 
three (3) seconds has been selected as a suitable period for 
activating Daemon 46 with the hardware and software being 
used with the inventional system. This interval is selected to 
check sufficiently frequently to catch violations before sig- 
nificant damage has occurred, without significantly reducing 
the efficiency and responsiveness of workstation 24. Also, 
this interval is adjustable by simply changing initialization 
parameters, without requiring reconfiguration of any other 
part of the system. However, one of ordinary skill under- 
stands that the periodic interval used to call Daemon 46 is 
dependent upon the hardware and software speed. 

While the timer is running, step 212 allows the user to 
activate and manipulate workstation 24 as desired. During 
this period of operation, step 214 involves determining 
whether a termination condition has occurred, e.g., a user 
activated exit or a fatal system error, so that workstation 24 
may be shut down. Should a termination condition be 
observed, step 222 (described in greater detail below) would 
then occur. In the typical case, however, processing would 
continue until timer interrupt step 216 occurs. The timer 
interrupt causes Daemon 46 to become the active program of 
the system, which allows Daemon 46 to check on the status 
of the other processes at workstation 24. 

In the run Daemon 218 step, an enumeration process is 
conducted by the processor of workstation 24. Daemon 46 
checks every process that is present in workstation 24 
against the process information contained in its local copy of 
.sec file 50. Every process which is not found in the listing 
of .sec file 50 is processed further by Daemon 46, typically 
deleting and removing the unknown process from worksta- 
tion 24. However, other operations are possible, and some- 
times desired. For example, a message box may be displayed 
and the process may be modified according to the user's 
response to correspond to a known process. Another alter- 
native may be to record the presence of the unknown process 
in a log for use by diagnostic software. 

Known processes encountered by Daemon 46 during the 
enumeration routine may be dealt with in several ways. 
Typically, Daemon 46 checks for consistency between the 
process as noted by the desktop files by PDF 44 and the 
information from .sec file 50, making corrections when 
appropriate. Also, Daemon 46 checks the security protection 
of the process and the user for compliance with network 
security privileges. If an inconsistency is discovered, or a
security violation, or another similar condition, then Dae-
mon 46 may respond by: requesting a password from the
user before allowing further access or processing; deleting
and removing the process from the desktop; recording the
presence of the process on a log file; rebuilding the process
using the original process and a user response to a message
box; and/or another suitable response to the observed
inconsistency. When Daemon 46 completes all of its
operations on the processes of workstation 24, the timer is
reset at step 210 and the foregoing steps are repeated.
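The following Python is an example added here (it is not the patent's software and not code from the microfiche appendix). It parses a constructed .sec profile in the flat-text form of the listing above, resolves an object's restrictions through its PARENTID chain the way the folder-inheritance rule describes, and runs a Daemon-style enumeration pass over a constructed process list, removing unknown processes only when RESTRICTUNDEF=YES. The "=NO" override syntax on a program object and the set of statements treated as naming executables are assumptions.

```python
"""Parser and Daemon-style enumeration for a flat-text .sec desktop profile.
Illustrative example, not the patent's own implementation."""
from dataclasses import dataclass, field

# Constructed sample profile using statement names from the listing above.
# NOPRINT=NO on Sky Scraper is an assumed syntax for a program object
# overriding a restriction inherited from its folder.
SAMPLE_SEC = r"""
[Master] ENABLESECURITY=OBJECTS; RESTRICTUNDEF=YES; LOG=BCD;
[Folder] TITLE=Desktop; CLASS=DskDesktop; OBJECTID=<WP_DESKTOP>;
NOPRINT=YES; NODELETE=YES;
[Folder] TITLE=Programs; CLASS=PRDirectory; OBJECTID=<DO_PROGRAMSFOLDER>;
PARENTID=<WP_DESKTOP>; NOPRINT=YES;
[Program] TITLE=Sky Scraper; CLASS=WPProgram; OBJECTID=<DO_SKY>;
PARENTID=<DO_PROGRAMSFOLDER>; EXENAME=C:\SKY\SKY.EXE; NOPRINT=NO;
[Program] TITLE=Verify Defects; CLASS=WPProgram; OBJECTID=<DO_VERIFY>;
PARENTID=<WP_DESKTOP>; EXENAME=D:\TOOLS\VERDFCT.CMD;
[Ses] TRUSTEDAPP=c:\os2\e.exe; RUNWARN=1; LOG=AD;
[End]
"""

# Restriction statements the listing applies to folders and objects.
RESTRICTIONS = ("NOCOPY", "NODELETE", "NOMOVE", "NOPRINT", "NORENAME", "NOSETTINGS")

# Statements whose values name an executable the profile authorises (assumed set).
EXECUTABLE_KEYS = ("EXENAME", "TRUSTEDAPP", "LNCHPROG", "EXITPROG")


@dataclass
class Item:
    kind: str                                   # bracketed designation: Master, Folder, ...
    stmts: dict = field(default_factory=dict)   # KEY -> value, keys upper-cased


def parse_sec(text: str) -> list:
    """Split the flat file into items. An item starts with "[Kind]" at the start
    of a line and may continue on following lines; statements are KEY=VALUE
    pairs separated by semicolons (a value may itself contain "=")."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            kind, _, line = line[1:].partition("]")
            items.append(Item(kind.strip()))
        if not items:
            continue                            # stray text before the first item
        for stmt in line.split(";"):
            key, eq, value = stmt.partition("=")
            if eq:
                items[-1].stmts[key.strip().upper()] = value.strip()
    return items


def effective_restrictions(items: list, objectid: str) -> set:
    """Resolve restrictions for one object as the text describes folder
    inheritance: a restriction set to YES on the object or any ancestor (via
    PARENTID) applies, unless the object itself explicitly sets it to NO."""
    by_id = {it.stmts["OBJECTID"]: it for it in items if "OBJECTID" in it.stmts}
    chain, cur, seen = [], by_id.get(objectid), set()
    while cur is not None and cur.stmts["OBJECTID"] not in seen:
        seen.add(cur.stmts["OBJECTID"])         # guard against PARENTID cycles
        chain.append(cur)
        cur = by_id.get(cur.stmts.get("PARENTID"))
    if not chain:
        return set()
    active = set()
    for flag in RESTRICTIONS:
        if chain[0].stmts.get(flag, "").upper() == "NO":
            continue                            # explicit override on the object
        if any(it.stmts.get(flag, "").upper() == "YES" for it in chain):
            active.add(flag)
    return active


def enumerate_processes(items: list, running: list) -> dict:
    """Daemon-style enumeration: each running executable is checked against the
    executables the profile lists. Unknown ones are removed when [Master] has
    RESTRICTUNDEF=YES, otherwise only logged (the text's alternative action)."""
    master = next((it for it in items if it.kind == "Master"), None)
    restrict = master is not None and master.stmts.get("RESTRICTUNDEF", "").upper() == "YES"
    known = {it.stmts[k].lower() for it in items for k in EXECUTABLE_KEYS if k in it.stmts}
    return {exe: ("keep" if exe.lower() in known else "remove" if restrict else "log")
            for exe in running}


if __name__ == "__main__":
    profile = parse_sec(SAMPLE_SEC)
    for oid in ("<DO_SKY>", "<DO_VERIFY>"):
        print(oid, sorted(effective_restrictions(profile, oid)))
    print(enumerate_processes(profile, [r"C:\SKY\SKY.EXE", r"C:\TEMP\UNKNOWN.EXE"]))
```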

Finally, when the user is ready to terminate operation of
workstation 24, PDF 44 requests that the potentially modi-
fied desktop be saved in step 222. Daemon 46 receives this
request, first filtering the newer desktop with the original
user profile to make sure that the new desktop does not
violate any of the user's profile information stored on server
22. After the new desktop has been so filtered, Daemon 46
saves the filtered new desktop by storing the representative
file or files on server 22. Now, the operation of workstation
24 can be properly terminated at step 224.

The general sequence of the network provider loop, as
modified by an embodiment of the present invention, is
illustrated in FIG. 3. While, to the network, the provider loop
sequence operates as normal, FIG. 3 illustrates how the
software of the present invention operates on workstation 24
to achieve the objectives of the present invention. As noted
below, several of the steps in the conventional, prior art
provider loop operation are shown (as would be apparent at
the network level) with the workstation alterations being
noted in association with the several changed steps.

From the perspective of the server, the provider loop for
allowing workstation access to network programs and
devices may be conceptually represented in six steps. The
first step is start-up 300, in which the workstation is first
operably connected and enabled for communication with the
network. This start-up step 300 may involve the actual
power on of the workstation computer, or alternatively may
involve the initialization and connection of a remotely
operating computer to the communication structure of the
network such as by an ethernet connection or telecommu-
nications hook up using telephone, ISDN, DSL, wireless, or
cable modems. Once start-up step 300 is completed, the user
is then prompted with a logon screen in step 302, logon
window.

Logon window step 302 may involve a single logon
screen, such as the GINA interface of WindowsNT, or may
have separate logon screens for the workstation operating
system and the network operating system. Conventionally,
users have logon names and passwords which authenticate
the user and authorize access to the computer system. Once
the logon process is completed, the workstation initiates the
various processes needed to enable operation of the work-
station operating system and the associated network inter-
face programs in system initialization step 304. Next, pro-
vider initialization step 306 involves loading the Registry in
the workstation with the appropriate information relating to
the network processes, typically including associating the
API responsible for the user access to the network resource
and any security or user interface parameters.

Once the workstation is initialized, as the user attempts to
access network resources, network access and authentication
step 308 involves the Registry information to appropriately
invoke API's to provide the user with an interface to the
network resources such as application programs, communi-
cations devices, printers, etc. Finally, desktop operation step
310 involves the user calling such workstation and server
based programs and/or other resources for the user's com-
puting needs. Such operations may continue as long as the
network connection to the workstation is maintained, but if
the workstation's operation is broken then connection or
re-connection to the network would occur in step 300.

In accordance with the present invention, while the steps 
300-310 remain unchanged from the viewpoint of the 
server, the operation of the workstation is significantly
altered to maintain the security desired under the invention.
Conceptually, PDF 44 and Daemon 46 operate to mask off
the operating system components and directly control,
through the parameters of .sec file 50, the user's access to
workstation and network resources. Initially, this is accom-
plished by PDF 44 and/or Daemon 46 being the first process
started (for purposes of explaining the provider loop in the
foregoing description, software comprising PDF 44 and/or
Daemon 46 is collectively referred to as "Desktop Security"
software), which secures control of the workstation by
preventing the user from exiting the provider loop and
prevents any other programs from obtaining access to the
user. Through the use of custom API's, network resources
may be accessed by the user, but only using the security
profiles and preferences indicated by the user's .sec file 50.
This creates Registry entries which are specifically limited
by the parameters provided by ADMIN 36 for the operations
and permissions of the associated user.

Thus, while the network observes logon window step 302,
the workstation executes Desktop Security Override step
303 where, instead of the workstation allowing the conven-
tional progression to system initialization 304, Desktop
Security software is placed first in the load sequence for
system initialization step 304. Conventionally, the load
sequence includes a Primary provider and the other
provider processes. With the present invention, the Desktop
Security software changes this sequence by naming itself as
the Primary provider, allowing the Desktop Security soft-
ware to secure the workstation operation against user inter-
vention and mask off the potentially insecure portions of the
operating system. This step can be combined with an addi-
tional authentication device, such as a fingerprint, eye retina,
or other biometric device or a smartcard or the like, to
authenticate the identity of the user. This allows the Desktop
Security initialization step 305 to occur, which involves the
Desktop Security disabling user overrides, such as the
control-alt-del sequence, clearing the Registry, and obtain-
ing the user's .sec file 50. The Desktop Security masks calls
by either the workstation or network operating systems, and
sets up the communication protocols for the workstation and
network, e.g., by initializing IPX addresses and the like. In
the situation where the workstation operates with separate
local and network operating systems, the Desktop Security
is then able to logon to the network as a supervisor and
obtain the .sec file 50 for the user of the workstation. In a
situation where a single operating system operates the
workstation and network, the Desktop Security replaces the
network GINA and initially logs on as a supervisor.

When the network is ready for provider initialization step
306, the workstation executes a customized API called by the
Desktop Security using parameters suitable for the user as
denoted in the user's associated .sec file 50. This involves
the Desktop Security software again clearing and filling the
empty Registry and starting customized API's for the vari-
ous network resources available to the user in Desktop
Security provider initialization step 307. The customized
API calls are made according to the user profile information
available to the Desktop Security software from .sec file 50,
and the Registry is appropriately updated in accordance with
the privileges noted in .sec file 50. This allows network
access and authorization step 308 and desktop operation step
310 to actually filter through Desktop Security GUI opera-
tion steps 309 and 311, respectively. In step 309, the Desktop
Security software logs the user onto the various resources
using the logon information received in the initial logon. In
step 311, the Desktop Security software monitors the user's
operations such as accesses to the file system or network
resources. During these operations, from the perspective of
the network resources the workstation user has total freedom,
where in actuality the Desktop Security software prevents
any commands from being issued that contravene the privi-
leges and restrictions contained in the user's .sec file 50.
Before operation of the workstation is terminated, the Desk-
top Security software returns the workstation to a neutral
state in step 313, with all secondary processes being deleted
from the Registry, the Desktop Security software being
established as the primary process, and any network related
processes being released or terminated as appropriate.

The microfiche appendix contains an implementation of 
the present invention. The source code files in the appendix 
are associated with various directories. Following is a table 
showing the directories and the related source code descrip- 
tion: 



Directory   Description

dskgina     This directory contains the source code of the GINA
            operating system version that takes control of the
            workstation and masks off other processes including
            operating systems, and the logon authentication
            software.

dsknetp     This directory contains the source code of the Registry
            loading and provider loop masking and monitoring
            operations of the workstation Desktop Security.



While this invention has been described as having an 
exemplary design, the present invention may be further 
modified within the spirit and scope of this disclosure. This 
application is therefore intended to cover any variations, 
uses, or adaptations of the invention using its general 
principles. Further, this application is intended to cover such 
departures from the present disclosure as come within 
known or customary practice in the art to which this inven- 
tion pertains. 

What is claimed is: 

1. A computer network for providing a workstation user 
access to resources including at least one of local and 
network computer programs, local and network peripheral 
devices, and external communication devices, said network 
comprising: 

a server; 

a plurality of workstations coupled to said server, each 
said workstation including display means for providing 
a graphic user interface for a user; and 

communication means for transmitting messages between 
said server and said plurality of workstations; 

said server including means for providing access to at 
least one resource for a user, said user operating one of 
said workstations, said server including an operating 
system program which coordinates communications 
over said communication means; 

said workstation including desktop means for creating and 
displaying items referencing resources on a display 
means of the workstation, said workstation also includ- 
ing an operating system program which coordinates 
operation of said workstation, said desktop means 
including means for supervising operations of said 
workstation operating system according to user specific 
parameters. 

2. The system of claim 1 wherein said desktop means 
includes means for calling network resources in accordance 
with said user specific parameters. 
3. The system of claim 1 wherein said server includes a 
security kernel for blocking user access to resources and 
only allowing user access to resources upon receipt of a 
corresponding key, said user specific parameters including 
one of said keys for allowing user access to resources via 
said security kernel, and said desktop means including 
means for unlocking user access to said resources by trans- 
mitting one of said keys to said security kernel. 

4. The system of claim 1 wherein said desktop means 
includes means for initiating processes on said workstation 
and daemon means for monitoring processes initiated by 
said desktop means. 

5. The system of claim 4 wherein said daemon means 
includes enumeration means for checking processes on the 
workstation against the information record received from 
said server. 

6. The system of claim 1 wherein said workstation oper- 
ating system program including a registry of processes, said 
desktop means including means for establishing said super- 
vising means as the primary process of said registry. 

7. The system of claim 6 wherein said supervising means 
includes supervisor means for logging onto said server 
operating system with supervisor privileges. 

8. The system of claim 7 wherein said supervisor means 
establishes user processes on said server according to said 
user specific parameters. 

9. The system of claim 6 wherein said desktop means 
includes means for clearing said registry of processes except 
said supervising means. 

10. The system of claim 9 wherein said desktop means 
includes neutralizing means for clearing all processes from 
said registry except said supervising means and ending 
connections with network resources. 

11. In a network of computers including a server and a 
workstation, a method of providing user access to network 
providers, said method comprising the steps of: 

masking operation of the network providers while obtain- 
ing user specific parameters relating to the user's 
allowed scope of access to the network providers; 

enabling operation of the user only with the network 
providers authorized based on the user specific param- 
eters; and 

monitoring the user's interaction with each network pro- 
vider and only allowing user actions consistent with the 
user specific parameters. 

12. The method of claim 11 further comprising the step of 
blocking user access to resources via a security kernel, 
wherein said user specific parameters include a key for only 
allowing user access to resources via said security kernel, 
and further comprising the step of allowing user access to 
resources upon receipt of a corresponding key from said 
desktop user interface. 

13. The method of claim 11 further comprising the step of 
monitoring processes initiated by the desktop user interface. 

14. The method of claim 13 wherein said monitoring step 
includes the step of checking processes on the workstation 
against the user specific parameters. 

15. The method of claim 11 further comprising the step of 
preventing unauthorized access to the network resources 
through said desktop. 

16. The method of claim 11 wherein a workstation oper- 
ating system program includes a registry of processes, 
further including the step of establishing a security process 
as the primary process of said registry. 

17. The method of claim 16 further including the step of 
the security process logging onto said server operating 
system with supervisor privileges. 

18. The method of claim 17 wherein said logging step 
establishes user processes on said server according to the 
user specific parameters. 

19. The method of claim 16 further including the step of 
clearing the registry of processes except for the security 
process. 

20. The method of claim 19 further including the step of 
neutralizing the workstation by clearing all processes from 
the registry except the security process and ending connec- 
tions with network resources. 

21. A machine-readable program storage device for stor- 
ing encoded instructions for a method of providing user 
access to network providers, said method comprising the 
steps of: 

masking operation of the network providers while obtain- 
ing user specific parameters relating to the user's 
allowed scope of access to the network providers; 

enabling operation of the user only with the network 
providers authorized based on the user specific param- 
eters; and 

monitoring the user's interaction with each network pro- 
vider and only allowing user actions consistent with the 
user specific parameters. 

22. The machine-readable program storage device of 
claim 21 further comprising encoded instructions for the 
step of blocking user access to resources via a security 
kernel, wherein said user specific parameters include a key 
for only allowing user access to resources via said security 
kernel, and further comprising the step of allowing user 
access to resources upon receipt of a corresponding key 
from said desktop user interface. 

23. The machine-readable program storage device of 
claim 21 further comprising encoded instructions for the 
step of monitoring processes initiated by the desktop user 
interface. 

24. The machine-readable program storage device of 
claim 23 further comprising encoded instructions for the 
step of checking processes on the workstation against the 
user specific parameters. 

25. The machine-readable program storage device of 
claim 21 further comprising encoded instructions for the 
step of preventing unauthorized access to the network 
resources through said desktop. 

26. The machine-readable program storage device of 
claim 21 wherein a workstation operating system program 
includes a registry of processes, further comprising encoded 
instructions for the step of establishing a security process as 
the primary process of said registry. 

27. The machine-readable program storage device of 
claim 26 further comprising encoded instructions for the 
step of the security process logging onto said server oper- 
ating system with supervisor privileges. 

28. The machine-readable program storage device of 
claim 27 further comprising encoded instructions for the 
step of establishing user processes on said server according 
to the user specific parameters. 

29. The machine-readable program storage device of 
claim 26 further comprising encoded instructions for the 
step of clearing the registry of processes except for the 
security process. 

30. The machine-readable program storage device of 
claim 29 further comprising encoded instructions for the 
step of neutralizing the workstation by clearing all processes 
from the registry except the security process and ending 
connections with network resources. 